2008 R2 AD recycle bin - reasons why *NOT* to enable?

  • Question

  • Other than OCS 2007 R2, is there any reason why I *wouldn't* want to enable active directory recycle bin service?

    The 'this is irreversible...' part kinda scares me.

    Monday, September 24, 2012 11:10 PM

Answers

  • We would be enabling it on clients domains that were built at the 2008 R2 FL.

    The only thing I can think of is that it does something to objects/containers that were deleted before the AD recycle bin was enabled, making it more difficult (or impossible) to recover those items using old traditional methods. Can anyone confirm?

    Objects that were deleted prior to enabling the Recycle Bin will remain as tombstones within the AD database (ntds.dit) until the tombstone lifetime expires. The existing tombstones will be unaffected by the Recycle Bin and you will be able to recover them through the existing re-animation process (for all the good that does, given that most of the attributes are stripped when the object is tombstoned). You also have the option to restore those objects using the authoritative restore method.

    Once the Recycle Bin is enabled, deleted objects (isDeleted=true) will be fully recoverable for the period of the msDS-deletedObjectLifetime (default = 180 days), after which they will become tombstone objects (isRecycled=true) for the period of the tombstone lifetime (default = 180 days, unless the forest was created prior to 2003 SP1, in which case the default is 60 days).


    Alexei


    • Edited by Alexei Segundo Tuesday, September 25, 2012 1:17 AM
    • Proposed as answer by 朱鸿文 Tuesday, September 25, 2012 2:09 AM
    • Marked as answer by Alceryes Tuesday, September 25, 2012 2:25 PM
    Tuesday, September 25, 2012 1:16 AM
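As an added example (not code from any poster in this thread), the checks and the restore step that the accepted answer implies, written for PowerShell with the RSAT ActiveDirectory module. It assumes Enterprise Admin rights in a single forest that is already at the Windows Server 2008 R2 forest functional level, and uses an assumed sample account name `jdoe`. The enable command is only printed, not executed, because enabling the Recycle Bin is irreversible.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module,
# Enterprise Admin rights and a forest at the 2008 R2 forest functional level.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$rootDse  = Get-ADRootDSE
$dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# 1. Pre-flight: the feature requires the 2008 R2 forest functional level.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest '$($forest.Name)' is at '$($forest.ForestMode)'; raise it to Windows2008R2Forest first."
}

# 2. Is the Recycle Bin already on? EnabledScopes stays empty until it is enabled.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) {
    Write-Host "Recycle Bin is NOT enabled. Enabling is irreversible; review, then run:"
    Write-Host "  Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target '$($forest.Name)'"
} else {
    Write-Host "Recycle Bin is enabled in: $($rb.EnabledScopes -join ', ')"
}

# 3. The two lifetimes from the answer, read from the Directory Service object.
#    Both attributes are absent (null) when the forest runs on defaults:
#    an unset msDS-DeletedObjectLifetime follows tombstoneLifetime, and an
#    unset tombstoneLifetime means 60 days (forests created on 2003 SP1 or
#    later have tombstoneLifetime explicitly set to 180 by dcpromo).
$ds  = Get-ADObject -Identity $dsConfig -Properties 'msDS-DeletedObjectLifetime','tombstoneLifetime'
$tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$dol = if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $tsl }
Write-Host "Deleted object lifetime: $dol days; tombstone lifetime: $tsl days"

# 4. Objects still in the fully restorable window: isDeleted set, isRecycled
#    not yet set. The Deleted Objects container itself is also flagged
#    isDeleted, so it is filtered out by DN.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and isRecycled -ne $true' `
               -IncludeDeletedObjects `
               -Properties isDeleted,isRecycled,whenChanged,lastKnownParent,objectClass |
           Where-Object { $_.DistinguishedName -notlike 'CN=Deleted Objects,*' }

$deleted | Select-Object Name, objectClass, whenChanged, lastKnownParent | Format-Table -AutoSize

# 5. Restore one object by GUID (the DN is mangled while deleted, so GUID is
#    the reliable handle). If lastKnownParent was deleted too, restore the
#    parent first; Restore-ADObject fails when the target container is gone.
#    'jdoe' is an assumed sample account name.
$victim = $deleted | Where-Object { $_.Name -like 'jdoe*' } | Select-Object -First 1
if ($victim) {
    try {
        Restore-ADObject -Identity $victim.ObjectGUID -ErrorAction Stop
        Write-Host "Restored '$($victim.Name)' to $($victim.lastKnownParent)"
    } catch {
        Write-Warning "Restore failed (is lastKnownParent itself deleted? restore it first): $_"
    }
}
```

Run it first with `-WhatIf` appended to `Restore-ADObject` to see what would be reanimated. Objects returned by step 4 carry their full attribute set, which is the difference from the pre-Recycle-Bin tombstones the answer describes; once `isRecycled` is set, the object is back to a stripped tombstone and only an authoritative restore from backup gets the attributes back.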

All replies

  • I've not heard any horror stories.

    It's considered a good practice to have some kind of delay between raising the forest functional level and enabling the Recycle Bin to provide an opportunity to revert in case any apps are adversely impacted by the new FL.


    Alexei

    Monday, September 24, 2012 11:27 PM
  • We would be enabling it on clients domains that were built at the 2008 R2 FL.

    The only thing I can think of is that it does something to objects/containers that were deleted before the AD recycle bin was enabled, making it more difficult (or impossible) to recover those items using old traditional methods. Can anyone confirm?

    Monday, September 24, 2012 11:52 PM
  • As far as I know, there are no disadvantages if you enable AD recycle bin, it's pretty safe.

    Also refer, similar discussion

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/8c022d58-4b4e-4072-9c4a-61d62a2dd70b


    Regards, Santosh

    I do not represent the organisation I work for, all the opinions expressed here are my own.

    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    • Proposed as answer by 朱鸿文 Tuesday, September 25, 2012 2:09 AM
    Tuesday, September 25, 2012 12:36 AM
  • Hello,

    don't know about OCS but if you run the 2008 R2 functional levels I would use it. Big advantage for restoring accidentally deleted objects.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, September 25, 2012 6:41 AM
  • We would be enabling it on clients domains that were built at the 2008 R2 FL.

    The only thing I can think of is that it does something to objects/containers that were deleted before the AD recycle bin was enabled, making it more difficult (or impossible) to recover those items using old traditional methods. Can anyone confirm?

    I wouldn't be scared to enable this option because it's a big enhancement to recover deleted objects quickly without taking the DC offline or requiring any kind of backup. Make sure the hotfix below is deployed. You have to compromise, where the size of the AD database increases with a higher TSL period, but it has more advantages.

    http://blogs.technet.com/b/qzaidi/archive/2010/10/23/quickly-explained-active-directory-recycle-bin.aspx

    The size of the Active Directory increases rapidly on a Windows Server 2003-based or Windows Server 2008 R2-based domain controller that hosts the DNS Server role

    http://support.microsoft.com/kb/2548145


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, September 25, 2012 9:38 AM
  • Sorry for being almost a year late to the party :-)

    Another little-known advantage that is gained after enabling the AD Recycle Bin is that the Infrastructure Master FSMO role is no longer relevant, since every DC will be maintaining its own phantoms:

    http://msdn.microsoft.com/en-us/library/cc223753.aspx

    Tuesday, August 27, 2013 8:36 PM